For a number of months now, I've been reporting on the November 2009 Norfolk Island ditching of a Westwind jet.
The Australian Transportation Safety Board's investigation of this accident has been widely regarded as a mess, criticized equally by the Australian pilot community, the press and lately, by the country's Senate. As we reported over the weekend, the ATSB's report (PDF) was cited for numerous omissions related to how regulators oversaw Pel-Air, the company that owned the Westwind.

Thorough as the Senate report is, I found one phrase in it that suggests it wasn't written by pilots. Or maybe by pilots with a different view of PIC responsibility than I have. In citing numerous deficiencies in how regulators oversaw Pel-Air, the report said these failings left the pilot "as the last line of defense against an accident."

I found this utterly jarring and the report repeated it several times. The gist of it is this: It's the regulations and operations specs that make flying safe, the pilot is only there if those don't cover all exigencies or novel situations otherwise arise. It's not quite the dog-and-autopilot concept, but it's close. To a degree, it's a semantical distinction, but an important one, nonetheless. To take it to an extreme, when you put on your PIC hat, you are the first thing and the only thing between you and your passengers and an accident—not instruments, not traffic boxes, neither radar nor datalink weather, GPWS, glass panels or BRS parachutes or ATC. And definitely not regulations and ops specs, although they undeniably play a critical role in safety.

Those things provide a basic structure by which to frame decisionmaking, yet they don't help with the novel situations which are perfectly legal, but, if not entirely unsafe, are only safe with no margins worthy of the name. The Pel-Air flight fit that latter description to a T. Given the weather forecast, fuel loads and distance, it was legally dispatched to a remote island with notoriously difficult-to-forecast weather, at night, with the closest airport some 400 miles away and hopelessly beyond fuel range. There was no legal requirement for an alternate, thus one wasn't filed or planned. The pilot had little or no dispatch support from his company and the weather reporting system was sketchy at best.

So at the outset, what the Senate calls the first line of defense—the regulations and op specs—was functionally non-existent, which is the core of the scandal here, in the Senate's reasoning. The Civil Aviation Safety Authority knew all this because it had investigated Pel-Air in depth. Yet it scape-goated pilot error as the primary cause of the accident. The pilot was hardly blameless; you can decide for yourself how to apportion responsibility.
As is the case with so much in flying, survival—or at least accident avoidance—turns on pilot instincts and skills and all the regulations and cockpit gadgets do is provide entertaining diversion and, okay, some helpful data. If all that stuff fails to keep you from extremis in the first place, you fall back on your lowest level of training and hope it's high enough.

What informs the skill and instincts in part is knowledge of previous accidents. That's where many regulations come from, too. It's no exaggeration to say the rules were written in blood.
Systemic safety evolves from unbiased understanding of accident causes and on this point, the ATSB dragged the entire safety edifice backwards. In blaming the pilot for the accident, it failed to account for known failings in CASA's oversight that, in an ideal world, might have shaped or at least informed his judgment or simply flat-out prohibited the flight in equipment suited to the task only if everything went just right but profoundly inadequate if it didn't. This kind of flawed accident investigation sows mistrust and is an absolute menace to advancing safety based on documented experience.

I suspect the Australians will have their hands full fixing this because the Senate report gives the impression that it's a cultural shortcoming within the agencies themselves. At least the investigation into the investigation gives them a good start.

Comments (18)

This actually folds quite well into Mary Grady's most recent article about the lack of enthusiasm in the pilot community. Now agencies and governments view pilots as a problem and see automation and more regulation as a solution. It's chilling to think that indeed everyone IS out to get you if you exercise your own best judgement in a situation.

I wouldn't get too excited about Paul's take on things "first and only" in this context. As a pilot, I know, absolutely and without any damage to my ego, that I am the last line of defence against an accident. In the world of risk management and defences/mitigators in depth, the final step in the chain of things that can change an outcome is me.

In the case at hand, everything that prepared the ground for that flight failed to identify and mitigate the risks. When the pilot launched, he launched in ignorance of the risks that he was facing and without the situational awareness to change the outcome. How did he get that way - the system failed him.

There is absolutely nothing, repeat nothing, in that report that comes close to justifying any thoughts of "agencies and governments view pilots as a problem" or that anybody is "keen to take the pilot out of the cockpit".

"I wouldn't get too excited about Paul's take on things "first and only" in this context. As a pilot, I know, absolutely and without any damage to my ego, that I am the last line of defence against an accident."

I guess that somewhat depends on the type of operation at hand. In Part 91, I'm certainly the first line of defense, since I'm the only one who makes the decision to go or not to go. I don't have a dispatch department planning my route of flight and checking the weather, so that's up to me. I also don't have a maintenance department telling me if the aircraft is legally ready to fly, or ops specs saying, for example, that I can't fly SPIFR if the autopilot is down.

As for commercial flights, sure, one can argue that maybe the pilot really is the last, rather than first, line of defense.

This really is a semantic argument if we want to make it one. Let's just not do it.

What I hear Paul saying is that we need to guard against bureaucracies getting the idea that their regulations can create safety in spite of the pilot rather than by supporting the pilot. Certainly, there has to be some regulations discouraging bad behavior and undue risk taking by everyone involved. However, the focus needs to be on creating a framework that helps everyone, primarily the pilot, maintain safe operations.

The FAA seems to have been going the wrong direction for a while now, but that seems to be a trend of all bureaucracies.

Paul, I am not able to rise to a state of indignance over the wording ’The Pilot as Last Defense’. Perhaps it’s that English takes on many forms; UK, US, & AU. However, my Safety background supports the Senate’s lead to address the weaknesses in the ATSB accident assessment. The Senate document reads like the ‘Challenger’ accident report where systemic issues were investigated and addressed in detail, while the technical cause of the accident was clear.
In this investigation, the choice to launch or not is the Pilot’s responsibility. Having read previous accounts of the flight, the pilot’s focused attention to the destination prevented planning for alternate destinations or decision / turn around points. There existed a longer, northerly route that could have been chosen as well. HIS SINGLE CHOICE ALONE led to the concluding circumstance. However, the other contributing factors of poor weather service, poor communications, bad or no information at departure are systemic elements that can be improved via the implementation of improved services. These were missed by ATSB.
Last year, there were no fatal accidents by US carrier service. It is because the NTSB / FAA identified and addressed the systemic issues that were the major risk factors which caused major accidents. I commend all the efforts of these organizations for these significant improvements.

There was an accident chain. There were people and processes in that chain, other than the pilot and flight crew and their processes. If those other people and processes (the "system") had performed their advertised function, the accident might have been averted. The Senate is asking why that did not happen - especially reasonable since the "system" is expensive to operate.

The Senate is working with the given fact that the pilot was the last line of defense, and failed to prevent the accident. It is not calling for the system to replace the pilot, or have precedence over the pilot. It is simply recognizing that, in this particular accident chain, knowing that the pilot failed to prevent the accident, there may have been other opportunities to prevent it, and is asking why the investigation did not look for those, but simply blamed the pilot.

Pilots place reliance on others - from the designer to the dispatcher and ATC - when operating their aircraft, and it in no way dis-empowers the pilot, to ask whether those others could have done better. For example, if an aircraft had a mechanical failure that rendered it difficult - but possible - to control, the pilot would be the last line of defense. But, if the pilot should fail to prevent the crash, I think people would ask about the design, manufacture and maintenance of the aircraft.

I agree with Paul on this. Most non-flyers think that ATC is virtually "controlling" us at all times and we are just along for the ride. It's not surprising that bureaucrats (probably non-pilots) think the same or even worse.

Barry Schiff was writing in his recent Pilot column about the day when pilots are no longer needed. He said the crew will be a Pilot and a Dog. The Dog's job will be to bite the Pilot if the Pilot ever tries to touch the controls! I'm sure the pilot will be blamed in this case as well :-)

I think it is reasonable to protect a commercial pilot with rules that minimise risk. Otherwise employer pressure may cause him to take chances he really should not take.

That said, US readers should understand the broken nature of Australian Aviation regulation and regulators. At last someone is taking these people to task over their actions or lack thereof. The ATSB, unlike the NTSB, does not investigate all aircraft accidents. They have a certain budget and start at international airlines and work down from there. They run out somewhere around the top end of private operation, if we're lucky. Sport aviation is ignored beyond a mention in the accident summaries by the ATSB.
Sport aviation in Australia is in a situation where CASA delegates to various private bodies (10 at last count), the administration of their activities while claiming the right to set the rules. In reality there is little oversight and some of the bodies work reasonably well, while others like the body "running" soaring, the Gliding Federation of Australia may do internal accident investigation but don't ever release the results to Australian soaring pilots. So the unnecessary carnage continues with many accidents and fatalities where an "instructor" is on board. I know several Australian soaring pilots who are also professional pilots who would not let their sons/daughters/loved ones learn to fly in the Australian gliding system.

Well written article, which points to the real problems that face Australian aviation, with a run-away regulator and a safety investigator who has been influenced by the regulator.

Surveillance of operators and approval by the regulator [CASA] of operations, with known issues has been going on for some time. The most notable is the TransAir [May 2005], Lockhart River metro crash with 15 fatalities. At other times, the investigator [ATSB] - Whyalla, just got it wrong. And unfortunately, there are others.

Well done the Australian senate inquiry for getting on with the job and working to the bottom of this one.

It is not just the folks involved in this report who are leaning toward airplanes where the pilot is replaced by computer systems. Many young people think computers are more reliable than people and hope the day will arrive soon where computers fly the airplanes instead of pilots. I guess this is all part of the insanity found in current academia that is quick to adopt future thinking without the required testing and validation.

We saw in the Air France disaster what happens when even two complete air crews don't include anyone who can fly an Airbus without the automation online. This should warn everyone who is not living in a sci-fi movie that the notion of pilotless airliners is faulty. How many more full planes must we lose before the general public discovers pilots will always do a better and safer job flying planes than even the smartest electronics?

Paul - politely - you have no idea what comprises "insanity." What you fail - or refuse - to consider is that the Airbus technology in question is fatally flawed BECAUSE it attempts to introduce humans into the control loop. (Of course, I could go off on never wanting to hear the words "French" and "software" in the same sentence, but let's stay focused here.)

When designing an autonomous control system (call it an "un-tended" system if it makes you feel better), no account is made for human intervention - because it is precluded. Believe it or not, that makes the design job easier and increases the chance of success. (Full disclosure: I've spent a great deal of my 4-decade-plus engineering career designing autonomous control systems for mission-critical applications. In this case, MC means that if the control system fails, somebody is likely to die.)

In the Airbus incident, the software did what it was designed to do - and the entire aircrew screwed up. Bad software? Well, to the extent that the design of the software includes intentional "You've got its" to the crew, yes - THAT's bad software. But that's what they were told to design.

A well-designed autonomous control system (that's not an oxymoron) will provide a huge increase in reliability and safety. It also will offend some human egos. But it will be shameful if we let anthropomorphic hubris shunt aside science in a fit of denial.

I'm afraid you misinterpreted my comment. I never suggested there was a design flaw in the Airbus software. Indeed I believe it was a hardware failure (icing of all the pitot tubes) that led to the fatal accident.

I too spent many years designing both hardware and software for fault tolerant environments. In my case it was mostly communications gear rather than life threatening applications such as the ones you engineered.

Airbus design philosophy puts the pilot in the background and expects the planes to always be flown by the automation. This works just fine until the automation fails. The pilots SHOULD have been able to fly the plane satisfactorily with no automation, but in the dark of night and middle of a thunderstorm and no usable airspeed indications they all failed to notice that the plane was stalled. I understand other crews handled the same scenario just fine in simulators.

My point was to suggest pilots cannot be completely replaced by automation. I have no problem with Boeing's approach which is to consider the PIC to be the primary source of control and the automation to be there to assist him.

I'm glad I don't travel on routes where only Airbus equipment is used. I don't feel their approach is safe enough for use by the general public.

We agree about Airbus technology. And we disagree about the prudence of fielding autonomous control systems in aircraft. Criticisms of autonomous systems are fine - as long as they don't use the shortcomings of non-autonomous systems (like Airbus') as their foundation. Such comparisons simply are not valid.

With regard to the failure mode of the Airbus system, I do consider that to have been the result of flawed software design. In a properly-designed system, critical information is derived from multiple sources - and those sources always are different in kind, rather than merely being redundant in count. A well-designed control system would include real-time calculation of groundspeed, based on data provided from disparate sources, and cross-checked for "sanity." Concurrent variance of airspeed and groundspeed also would be derived. Coupled with sanity-checked derivable heading and altitude data, the control system would have all of the information that it needs to provide usable (that’s the key criterion) airspeed and AOA information - even in the absence of any pitot-static information. In short, that airplane had access to more than enough valid information to determine its airspeed well enough to keep flying safely with its pitot tubes iced over. It just wasn’t designed to use that information or to share it with the flight crew. Call me hyper-critical, but I consider that to be a freshman-quality flaw.

It appears we will just have to disagree on the subject of autonomous system safety as compared to pilot skills. I doubt I will ever be convinced that any automatic system can come even remotely close to the safety of Darwinian system derived self preservation skills. I certainly have never heard of any system that would satisfy me in the role of keeping an airliner full of paying passengers safe.

I appreciate your point of view. It is shared by many people. I hope it makes you feel safe when you climb aboard a commercial plane with no pilot.

As I understand it, the big problem with Airbus planes is the "Fly-by-wire" system treats the pilot's input "Stick" like a video game controller with no feedback given to the pilot. I think the French disaster would have been quickly diverted if the pilot who was holding the stick in the full aft position all the way to the sea had to assert more force in that position than one which allowed the plane to attain flying speed. The Airbus paradigm of pilots being mostly excess baggage prevented that feature in the design.

There are many systemic design flaws (imo) of the Airbus system. One as mentioned is the lack of an interconnection between the two side-sticks, such that one pilot could be applying full aft and the other full forward, and neither will have any feedback on this. Another is the lack of throttle movement when the auto-throttle is controlling it. And yet another is how the pilots had to know to look at a completely different display to see the backup readings, while the primary display was still showing a (largely incorrect and useless) value. This is all poor user interface design, regardless of the rest of the system's flaws.

The goal should either be complete removal of the human element (a bad idea in my opinion, and not just because I like to actually control the craft), or always let the human override the system (even if it requires either additional force or the use of some override system that is obvious to activate). In the case of the former, it really would turn the human pilot(s) into the "last line of defense", and I'd rather it not be that way (as AF447 shows).

I am surprised that no one has quoted chapter and verse. 91.3 dates back to wind powered sailing vessels. (If anyone can tell me what 91.2 was, I would love to hear the story.)
ATC cannot control the airplane. About all they can do is to provide information and clear the airspace. "Destination plus alternate plus 45 minutes" does not account for plan C being 400 miles away.
Society as a whole has serious issues about we who actually do make risk management decisions. Many people are scared of general aviation but do not hesitate to pull in front of a semi truck on the freeway and stomp on their brakes.
Peter
